Add feature VCN Default Security List Lockdown

based on var.default_SL_lockdown:
if true, delete all rules from VCN Default Security List
if false, restore the original content of the Default Security List

Issue: #22

Author: kral2

CHANGELOG.adoc

@@ -9,6 +9,7 @@ The format is based on {uri-changelog}[Keep a Changelog].
 
 == unreleased
 * changed input region to be optional (fixes #18)
+* added a new parameter to lockdown the VCN Default Security List and option to revert to original state (fixes #22)
 
 == v1.0.3 (July 13,2020)
 

CONTRIBUTORS.adoc

@@ -9,3 +9,4 @@ CONTRIBUTORS
 
 - @karthicgit
 - @difu
+- @kral2

README.adoc

@@ -77,7 +77,7 @@ Learn how to {uri-contribute}[contribute].
 
 == License
 
-Copyright © 2019 Oracle and/or its associates. All rights reserved.
+Copyright © 2019, 2021, Oracle and/or its associates.
 
 Licensed under the {uri-license}[Universal Permissive License 1.0] as shown at 
 {uri-canonical-license}[https://oss.oracle.com/licenses/upl].

README.md

@@ -1,31 +1,5 @@
 # Terraform VCN for Oracle Cloud Infrastructure
 
-[changelog]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/CHANGELOG.adoc
-[contributing]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/CONTRIBUTING.adoc
-[contributors]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/CONTRIBUTORS.adoc
-[docs]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/tree/master/docs
-
-[license]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/LICENSE
-[canonical_license]: https://oss.oracle.com/licenses/upl/
-
-[oci]: https://cloud.oracle.com/cloud-infrastructure
-[oci_documentation]: https://docs.cloud.oracle.com/iaas/Content/home.htm
-
-[oracle]: https://www.oracle.com
-[prerequisites]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/docs/prerequisites.adoc
-
-[quickstart]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/docs/quickstart.adoc
-[repo]: https://github.com/oracle/terraform-oci-vcn
-[reuse]: https://github.com/oracle/terraform-oci-vcn/examples/db
-[subnets]: https://erikberg.com/notes/networks.html
-[terraform]: https://www.terraform.io
-[terraform_cidr_subnet]: http://blog.itsjustcode.net/blog/2017/11/18/terraform-cidrsubnet-deconstructed/
-[terraform_hashircorp_examples]: https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/terraform-0.12-examples
-[terraform_oci]: https://www.terraform.io/docs/providers/oci/index.html
-[terraform_options]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/docs/terraformoptions.adoc
-[terraform_oci_examples]: https://github.com/terraform-providers/terraform-provider-oci/tree/master/examples
-[terraform_oci_oke]: https://github.com/oracle-terraform-modules/terraform-oci-oke
-
 The [Terraform VCN][repo] for [Oracle Cloud Infrastructure][OCI] provides a reusable [Terraform][terraform] module that provisions a minimal VCN on OCI.
 
 It creates the following resources:
@@ -35,22 +9,26 @@ It creates the following resources:
 * An optional NAT gateway
 * An optional service gateway
 
-This module is primarily meant to be reusable to create more advanced infrastructure on {uri-oci}[OCI] either manually in the OCI Console or by extending the Terraform code.
+It also controls the Default Security List, with a *Lockdown mode* that can be enabled or disabled.
+
+This module is primarily meant to be reusable to create more advanced infrastructure on [OCI][OCI] either manually in the OCI Console or by extending the Terraform code.
 
 ## [Documentation][docs]
 
 ### [Pre-requisites][prerequisites]
 
 #### Instructions
-- [Quickstart][quickstart]
-- [Reusing as a Terraform module][reuse]
-- [Terraform Options][terraform_options]
+
+* [Quickstart][quickstart]
+* [Reusing as a Terraform module][reuse]
+* [Terraform Options][terraform_options]
 
 ## Related Documentation, Blog
-- [Oracle Cloud Infrastructure Documentation][oci_documentation]
-- [Terraform OCI Provider Documentation][terraform_oci]
-- [Erik Berg on Networks, Subnets and CIDR][subnets]
-- [Lisa Hagemann on Terraform cidrsubnet Deconstructed][terraform_cidr_subnet]
+
+* [Oracle Cloud Infrastructure Documentation][oci_documentation]
+* [Terraform OCI Provider Documentation][terraform_oci]
+* [Erik Berg on Networks, Subnets and CIDR][subnets]
+* [Lisa Hagemann on Terraform cidrsubnet Deconstructed][terraform_cidr_subnet]
 
 ## Projects using this module
 
@@ -70,7 +48,35 @@ Learn how to [contribute][contributing].
 
 ## License
 
-Copyright (c) 2019, 2020 Oracle and/or its associates. All rights reserved.
+Copyright (c) 2019, 2021 Oracle and/or its associates.
+
+Licensed under the [Universal Permissive License 1.0][license] as shown at
+[https://oss.oracle.com/licenses/upl][canonical_license].
+
+<!-- Links reference section -->
+[changelog]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/CHANGELOG.adoc
+[contributing]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/CONTRIBUTING.adoc
+[contributors]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/CONTRIBUTORS.adoc
+[docs]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/tree/master/docs
+
+[license]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/LICENSE
+[canonical_license]: https://oss.oracle.com/licenses/upl/
 
-Licensed under the [Universal Permissive License 1.0][license] as shown at 
-[https://oss.oracle.com/licenses/upl][canonical_license].
+[oci]: https://cloud.oracle.com/cloud-infrastructure
+[oci_documentation]: https://docs.cloud.oracle.com/iaas/Content/home.htm
+
+[oracle]: https://www.oracle.com
+[prerequisites]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/docs/prerequisites.adoc
+
+[quickstart]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/docs/quickstart.adoc
+[repo]: https://github.com/oracle/terraform-oci-vcn
+[reuse]: https://github.com/oracle/terraform-oci-vcn/examples/db
+[subnets]: https://erikberg.com/notes/networks.html
+[terraform]: https://www.terraform.io
+[terraform_cidr_subnet]: http://blog.itsjustcode.net/blog/2017/11/18/terraform-cidrsubnet-deconstructed/
+[terraform_hashircorp_examples]: https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/terraform-0.12-examples
+[terraform_oci]: https://www.terraform.io/docs/providers/oci/index.html
+[terraform_options]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/docs/terraformoptions.adoc
+[terraform_oci_examples]: https://github.com/terraform-providers/terraform-provider-oci/tree/master/examples
+[terraform_oci_oke]: https://github.com/oracle-terraform-modules/terraform-oci-oke
+<!-- Links reference section -->

default-resources.tf

@@ -0,0 +1,53 @@
+# Copyright (c) 2021 Oracle Corporation and/or affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
+
+# VCN default Security List Lockdown
+// See Issue #22 for 
+resource "oci_core_default_security_list" "lockdown" {
+  // If variable is true, removes all rules from default security list
+  count                      = var.default_SL_lockdown == true ? 1 : 0
+  manage_default_resource_id = oci_core_vcn.vcn.default_security_list_id
+}
+
+resource "oci_core_default_security_list" "restore_default" {
+  // If variable is false, restore all default rules to default security list
+  count                      = var.default_SL_lockdown == false ? 1 : 0
+  manage_default_resource_id = oci_core_vcn.vcn.default_security_list_id
+
+  egress_security_rules {
+    // allow all egress traffic
+    destination = "0.0.0.0/0"
+    protocol    = "all"
+  }
+
+  ingress_security_rules {
+    // SSH for all
+    protocol = "6"
+    source   = "0.0.0.0/0"
+    tcp_options {
+      min = 22
+      max = 22
+    }
+  }
+
+  ingress_security_rules {
+    // ICMP for all type 3 code 4
+    protocol = "1"
+    source   = "0.0.0.0/0"
+
+    icmp_options {
+      type = "3"
+      code = "4"
+    }
+  }
+
+  ingress_security_rules {
+    //ICMP for VCN
+    protocol = "1"
+    source   = var.vcn_cidr
+
+    icmp_options {
+      type = "3"
+    }
+  }
+}

examples/README.md

@@ -78,6 +78,7 @@ module "vcn" {
   vcn_cidr                 = var.vcn_cidr
   vcn_dns_label            = var.vcn_dns_label
   vcn_name                 = var.vcn_name
+  default_SL_lockdown      = var.default_SL_lockdown
 }
 ```
 

examples/main.tf

@@ -25,6 +25,8 @@ module "vcn" {
 
   vcn_name = "vcn"
 
+  default_SL_lockdown = "true"
+
   tags = {
     environment = "dev"
     lob         = "finance"

examples/variables.tf

@@ -82,3 +82,9 @@ variable "vcn_name" {
   description = "user-friendly name of to use for the vcn to be appended to the label_prefix"
   type        = string
 }
+
+variable "default_SL_lockdown" {
+  description = "whether to remove all default security rules from the VCN Default Security List"
+  default     = true
+  type        = bool
+}

schema.yaml

@@ -9,8 +9,8 @@ groupings:
     - vcn_cidr
     - vcn_name
     - vcn_dns_label
-    
- 
+    - default_SL_lockdown
+
 variables:
   region:
     type: oci:identity:region:name
@@ -49,6 +49,12 @@ variables:
     required: true
     default: vcn
 
+  default_SL_lockdown:
+    title: Enable VCN Default Security List Lockdown
+    type: string
+    required: false
+    default: true
+
   tags:
     type: map
     visible: false

variables.tf

@@ -65,3 +65,9 @@ variable "vcn_name" {
   description = "user-friendly name of to use for the vcn to be appended to the label_prefix"
   type        = string
 }
+
+variable "default_SL_lockdown" {
+  description = "whether to remove all default security rules from the VCN Default Security List"
+  default     = true
+  type        = bool
+}